The power of adaptability through experience.

By Red Siege | November 3, 2022

By: Mike Saunders, Principal Security Consultant

tldr: With experience comes the ability to adapt to challenges, and even experienced testers need to phone a friend now and then.

In the Beginning…

When we’re new at anything, we’re naturally not going to be good at it. We couldn’t run until we learned to flip ourselves over, then to crawl, and eventually walk. You can’t learn to read until you learn to recognize individual letters, then learn how those letters form a word, and learn what that word means. As a penetration tester, you’re not going to be an ace out of the gate. You will struggle. You will get frustrated.

As a new tester, it’s often helpful to follow a guide, or a script, if you will. The script tells you to run this command, look for that output, run this other command, etc. To ensure good coverage and repeatable results, experienced testers often follow a script as well. The separation of the beginner tester from the experienced tester comes when a given situation doesn’t follow the script.

Story Time

What follows is a short story about encountering obstacles and using experience to solve those problems.

I was recently performing an Assumed Breach test of a large global network. The network consisted of over 14,000 hosts spread across the globe in data centers, remote offices, and VPN connections. I was performing the test from a laptop connected to the VPN.

I often refer to myself as a file archeologist more than a penetration tester. Simply put, there are always credentials on a share somewhere that will yield the keys to the kingdom. To this end, on assessments where I’m not trying to stay hidden, I usually perform network enumeration to identify accessible shares. Depending on the situation, this could be accomplished with PowerView or SharpView’s Find-DomainShare, EDD’s getreadabledomainshares, or other tools. Unfortunately for me, due to the large, distributed network and my VPN connectivity, attempts to enumerate shares with these methods weren’t working. The tools failed to return output. Time to adapt, improvise, and overcome.

There’s More Than One Way to Do It

While the aforementioned tools are how I would normally accomplish this task, given a limited time window and a need to produce results, it was time to find a different solution. I know from previous experience that I typically find credentials on central file shares and on IIS servers with their web roots shared out. With this in mind, I turned to information I had already enumerated from the network to find likely targets.

I had previously performed enumeration with SharpHound. I knew this enumeration likely contained everything I needed to get started. I used a simple Python script to parse out the information I needed.

#!/usr/bin/python3
# Dump name, enabled flag, OS, description and DN for every computer in a
# SharpHound computers JSON export as CSV, so it can be grepped or opened in
# a spreadsheet.

import csv
import json
import sys

if len(sys.argv) == 1:
    print("Usage: " + sys.argv[0] + " bloodhound_computers.json")
    sys.exit(1)

bhfile = sys.argv[1]
# utf-8-sig strips the BOM SharpHound sometimes writes at the start of the file.
with open(bhfile, encoding="utf-8-sig") as data_file:
    data = json.load(data_file)

# Older SharpHound exports put the list under "computers"; SharpHound 4.x
# writes the same objects under "data". Accept either.
computers = data.get("computers") or data.get("data") or []

# The csv module quotes descriptions that contain commas or quotes, which a
# plain "%s,%s" join would silently break.
writer = csv.writer(sys.stdout)
writer.writerow(["name", "enabled", "operatingsystem", "description", "DN"])
for i in computers:
    props = i.get("Properties", {})
    writer.writerow([
        props.get("name"),
        props.get("enabled"),
        props.get("operatingsystem"),
        props.get("description"),
        props.get("distinguishedname"),
    ])

After parsing out the data, I searched for systems described as “File Server.” I also observed the domain had a specific OU for IIS servers. I took a decidedly low-tech approach and used Windows Explorer to review the files. In short order, I found two IIS servers with shared web roots that contained web.config files with unencrypted credentials.
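The filtering step above (description says “File Server”, or the computer sits in an IIS-specific OU) is easy to do in the same Python the post’s script uses, and it generalizes to any description keyword or OU name. The block below is an added example, not the author’s script: the SharpHound JSON is a constructed sample (host names, OU names and descriptions are made up), it accepts both the old “computers” top-level key the post’s script reads and the “data” key SharpHound 4.x writes, and it skips disabled machine accounts by default since those are usually stale objects rather than reachable hosts.

```python
#!/usr/bin/env python3
"""Pick likely credential-bearing hosts out of a SharpHound computers export.

Added example; not the original post's script. SAMPLE_JSON is constructed.
"""
import json
import re

# Constructed sample mimicking a SharpHound computers.json export.
SAMPLE_JSON = json.dumps({
    "computers": [
        {"Properties": {"name": "FS01.CORP.LOCAL", "enabled": True,
                        "operatingsystem": "Windows Server 2019 Standard",
                        "description": "Main file server, HQ",
                        "distinguishedname": "CN=FS01,OU=Servers,DC=CORP,DC=LOCAL"}},
        {"Properties": {"name": "WEB07.CORP.LOCAL", "enabled": True,
                        "operatingsystem": "Windows Server 2016 Standard",
                        "description": None,
                        "distinguishedname": "CN=WEB07,OU=IIS Servers,OU=Servers,DC=CORP,DC=LOCAL"}},
        {"Properties": {"name": "OLDFS.CORP.LOCAL", "enabled": False,
                        "operatingsystem": "Windows Server 2008 R2 Standard",
                        "description": "File Server (decommissioned)",
                        "distinguishedname": "CN=OLDFS,OU=Retired,DC=CORP,DC=LOCAL"}},
        {"Properties": {"name": "WS1234.CORP.LOCAL", "enabled": True,
                        "operatingsystem": "Windows 10 Enterprise",
                        "description": "Finance laptop",
                        "distinguishedname": "CN=WS1234,OU=Workstations,DC=CORP,DC=LOCAL"}},
    ]
})


def load_computers(text):
    """Return the computer list from either the pre-4.x or the 4.x export layout."""
    doc = json.loads(text)
    return doc.get("computers") or doc.get("data") or []


def ou_path(dn):
    """Return the OU components of a DN, innermost first. Escaped commas are kept."""
    parts = re.split(r'(?<!\\),', dn)
    return [p[3:] for p in parts if p[:3].upper() == "OU="]


def find_targets(computers, description_terms=("file server",), ou_terms=("iis",),
                 enabled_only=True):
    """Return hosts whose description or OU matches any of the given terms."""
    hits = []
    for c in computers:
        p = c.get("Properties", {})
        if enabled_only and not p.get("enabled", False):
            continue
        desc = (p.get("description") or "").lower()
        ous = [o.lower() for o in ou_path(p.get("distinguishedname") or "")]
        reasons = []
        if any(t in desc for t in description_terms):
            reasons.append("description")
        if any(t in o for t in ou_terms for o in ous):
            reasons.append("ou")
        if reasons:
            name = p.get("name")
            # UNC root to paste into Explorer for a share listing.
            hits.append({"name": name, "unc": f"\\\\{name}", "why": reasons})
    return hits


if __name__ == "__main__":
    for h in find_targets(load_computers(SAMPLE_JSON)):
        print(h["unc"], ",".join(h["why"]))
```

Run against a real export, swap SAMPLE_JSON for the file contents and widen description_terms with whatever naming convention the client uses (“NAS”, “DFS”, “web” and so on); the OU match is usually the more reliable signal because descriptions are rarely maintained.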

Those credentials didn’t get me far, but they did give me admin access to 12 servers. I used those credentials to search C$ on the servers where I now had admin access and found an unattended installation answers file that contained unencrypted credentials for another account.
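Both of the file types that moved this engagement forward, web.config and the unattended-installation answer file, have a predictable place for the credential, so the reading can be scripted rather than done by eye. The block below is an added example and is not the author’s tooling. Both documents in it are constructed samples. It assumes the standard layouts: a connectionString attribute on connectionStrings/add entries and a system.web/identity element in web.config, and in unattend.xml a Password or AdministratorPassword element whose Value is either plaintext (PlainText true) or base64 of the UTF-16LE password with the element name appended, which is how Windows obfuscates answer-file passwords. The sample’s obfuscated values are built with that same scheme.

```python
#!/usr/bin/env python3
"""Extract cleartext credentials from web.config and unattend.xml files.

Added example for this post; not the author's tooling. WEB_CONFIG and
UNATTEND are constructed samples of the two file types the post found.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed web.config: a SQL connection string plus an impersonation identity.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" providerName="System.Data.SqlClient"
         connectionString="Server=SQL01;Database=App;User ID=app_svc;Password=Summer2022!" />
  </connectionStrings>
  <system.web>
    <identity impersonate="true" userName="CORP\\iis_svc" password="W3bR00t!" />
  </system.web>
</configuration>"""

NS = "{urn:schemas-microsoft-com:unattend}"


def _obfuscate(password, suffix):
    """Windows stores a non-PlainText answer-file password as
    base64(UTF-16LE(password + element name)). Used here only to build the sample."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode()


# Constructed unattend.xml: obfuscated AutoLogon and Administrator passwords,
# plus a plaintext local account.
UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>{_obfuscate("P@ssw0rd", "Password")}</Value><PlainText>false</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>deploy_admin</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>{_obfuscate("L0calAdm1n", "AdministratorPassword")}</Value><PlainText>false</PlainText></AdministratorPassword>
        <LocalAccounts>
          <LocalAccount><Name>helpdesk</Name><Group>Administrators</Group>
            <Password><Value>Helpdesk123</Value><PlainText>true</PlainText></Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""


def webconfig_creds(xml_text):
    """Return (where, user, password) for each credential found in a web.config."""
    root = ET.fromstring(xml_text)
    found = []
    for add in root.iter("add"):
        cs = add.get("connectionString")
        if not cs:
            continue  # appSettings and similar <add> entries
        pwd = re.search(r"(?:password|pwd)\s*=\s*([^;]+)", cs, re.I)
        if not pwd:
            continue  # e.g. Integrated Security=SSPI, nothing to harvest
        user = re.search(r"(?:user id|uid|user)\s*=\s*([^;]+)", cs, re.I)
        found.append(("connectionStrings/" + (add.get("name") or "?"),
                      user.group(1).strip() if user else None, pwd.group(1).strip()))
    for ident in root.iter("identity"):
        if ident.get("password"):
            found.append(("system.web/identity", ident.get("userName"), ident.get("password")))
    return found


def _decode(value, plaintext, suffix):
    """Undo the answer-file obfuscation; fall back to the literal if it is not encoded."""
    if plaintext:
        return value
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return value
    return raw[:-len(suffix)] if raw.endswith(suffix) else raw


def unattend_creds(xml_text):
    """Return (context element, user, password) for each password in an unattend.xml."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    found = []
    for tag in ("Password", "AdministratorPassword"):
        for el in root.iter(NS + tag):
            value = el.findtext(NS + "Value")
            if not value:
                continue
            plain = (el.findtext(NS + "PlainText") or "").strip().lower() == "true"
            holder = parent[el]
            user = holder.findtext(NS + "Username") or holder.findtext(NS + "Name")
            if tag == "AdministratorPassword":
                user = user or "Administrator"  # built-in account, no Username element
            found.append((holder.tag[len(NS):], user, _decode(value, plain, tag)))
    return found


if __name__ == "__main__":
    for hit in webconfig_creds(WEB_CONFIG) + unattend_creds(UNATTEND):
        print(hit)
```

Point it at files pulled from a share or a C$ root; the usual names are web.config, unattend.xml, autounattend.xml and sysprep.xml. A web.config whose connectionStrings section was encrypted with aspnet_regiis shows an EncryptedData element instead of add entries and yields nothing here, which is itself worth noting in the report as the correct configuration.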

Using BloodHound to analyze attack paths, I found this new account had admin access to a server where a service account with membership in the Account Operators group was running. That group, in turn, had GenericWrite privileges to the Domain Admins group.
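The chain in the paragraph above is a shortest path over four edge types (AdminTo, HasSession, MemberOf, GenericWrite), which is exactly what BloodHound computes when you ask it for a path from an owned principal to Domain Admins. The block below is an added example, not BloodHound’s code and not anything the author ran: it runs a breadth-first search over a constructed edge list (principal, host and group names are made up) that mirrors the chain in the post, and it also shows that a node with no outbound route reports no path rather than a partial one.

```python
#!/usr/bin/env python3
"""Shortest attack path over BloodHound-style directed edges.

Added example; not BloodHound's code and not the author's tooling. EDGES is a
constructed stand-in for what SharpHound would have collected.
"""
from collections import deque

# Constructed edges: (source, relationship, target). Direction matters: an
# AdminTo edge is traversed from the principal to the host it administers.
EDGES = [
    ("CORP\\SVC_DEPLOY", "MemberOf", "CORP\\DOMAIN USERS"),
    ("CORP\\DOMAIN USERS", "CanRDP", "WS1234.CORP.LOCAL"),
    ("CORP\\SVC_DEPLOY", "AdminTo", "APP03.CORP.LOCAL"),
    ("APP03.CORP.LOCAL", "HasSession", "CORP\\SVC_BACKUP"),
    ("CORP\\SVC_BACKUP", "MemberOf", "CORP\\ACCOUNT OPERATORS"),
    ("CORP\\ACCOUNT OPERATORS", "GenericWrite", "CORP\\DOMAIN ADMINS"),
    ("CORP\\HELPDESK", "MemberOf", "CORP\\ACCOUNT OPERATORS"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    g = {}
    for src, rel, dst in edges:
        g.setdefault(src, []).append((rel, dst))
    return g


def shortest_path(edges, start, goal):
    """BFS from start to goal. Returns [(src, rel, dst), ...], [] if start is
    the goal, or None when no directed route exists."""
    g = build_graph(edges)
    prev = {start: None}          # node -> (previous node, relationship used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while prev[node] is not None:
                src, rel = prev[node]
                path.append((src, rel, node))
                node = src
            return path[::-1]
        for rel, nxt in g.get(node, []):
            if nxt not in prev:   # first visit is the shortest in hop count
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def describe(path):
    """Render a path the way you would write it up in a report."""
    return "\n".join(f"{src} -[{rel}]-> {dst}" for src, rel, dst in path)


if __name__ == "__main__":
    route = shortest_path(EDGES, "CORP\\SVC_DEPLOY", "CORP\\DOMAIN ADMINS")
    print(describe(route) if route else "no path")
```

One caveat worth carrying into the report when an edge like the last one turns up: Domain Admins is a protected group whose ACL is reset by AdminSDHolder, and the default rights of Account Operators do not extend to it. A GenericWrite edge from Account Operators onto Domain Admins is therefore a site-specific permission grant, and it deserves its own finding independent of the path it enabled.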

At that point, I was able to RDP to the target server and establish a new beacon running with administrative privileges. I then used Cobalt Strike’s steal_token command to steal an access token from a process running as the target service account.

While PowerView and SharpView both have an Add-DomainGroupMember function, I wasn’t able to execute PowerShell, and SharpView failed for some unknown reason. In the interest of full disclosure, and to show that even experienced testers need to ask for help, I asked Chris Truncer if he knew of any tool that could accomplish the task. As EDD’s author, he helpfully told me that EDD had that capability through the joingroupbyname function. At that point, it was a quick inlineExecute-Assembly of EDD’s joingroupbyname function to add my user to the Domain Admins group, accomplishing the task of compromising the client’s AD.

Closing Time

Whether you’re new to the game, or you’ve been around for years, you will encounter situations where your tools don’t work the way you need them to. Being flexible and being able to draw on your past experiences to find a different solution is the key to growing and evolving as a tester.


About Principal Security Consultant Mike Saunders

Mike Saunders has over 25 years of experience in IT and security and has worked in the ISP, financial, insurance, and agribusiness industries. He has held a variety of roles in his career, including system and network administration, development, and security architect. Mike has been performing penetration tests for nearly a decade. Mike is an experienced speaker, having spoken at conferences such as DerbyCon, Circle City Con, regional BSides including Minneapolis, Kansas City, and Winnipeg, the SANS Enterprise Summit, the NDSU Cyber Security Conference, and SANS and Red Siege webcasts. He has participated multiple times as a member of the NCCDC Red Team.

Certifications:
GCIH, GPEN, GWAPT, GMOB, CISSP, and OSCP
